InvalidAccessKeyId Error when attemping to upload object to S3 using temporary credentials issued by STS.

[morgan-dgk]

Hi all,

Hoping somebody can assist me with this issue as I have been attempting to resolve for several days now.

I am attempting to upload an object directly to a private S3 bucket using a presigned url. This url is generated using the code below:

const TTL = 600
const UUID_NAMESPACE = '9369b034-56d8-4371-b530-15f88d7e42cb'

/**
Handler for client file upload. 

The bucket name and temporary credentials for access to the bucket are provided by the auth response from
the lambda authorizer and are accessible on `requestContext.authorizer.lambda.credentials`. 
*/

export const lambdahandler = async (event) => {
  const credentials = event.requestcontext.authorizer.lambda.credentials;
  const bucket = event.requestcontext.authorizer.lambda.bucket;
  const data = json.parse(event.body)
  const filename = data.file_name;

  const key = uuidv5(filename, uuid_namespace);
  
  const client = getScopedS3Client(credentials);

  const upload_options = {
    bucket: bucket,
    key: key,
    fields: {
      "x-amz-meta-filename": filename
    },
    expires: ttl
  }

  const resp = await createPresignedPost(client, upload_options);

  return {
    statuscode: "200",
    headers: {
      "content-type": "application/json"
    },
    body: json.stringify(resp)
  }
  
}

where getScopedS3Client is a simple helper function, which creates a client using the temporary credentials returned by STS:

import { S3Client } from "@aws-sdk/client-s3"

/**
Creates an S3 client based on the previously retrieved
scoped temporary access credentials. 

@param temp_access_credentials {Object} - a set of temporary access credentials retrieved from AWS sts. 
@param {string} temp_access_credentials.accessKeyId
@param {string} temp_access_credentials.secretAccessKey
@param {string} temp_access_credentials.sessionToken
*/

export function getScopedS3Client(temp_access_credentials) {

  return new S3Client({
    region: "us-west-2",
    credentials: temp_access_credentials
  }) 
}

This approach works fine when generating presigned URLs to download objects from the relevant S3 bucket. However, when I attempt to send multipart/form-encoded data with the keys/fields returned from the createPresignedPost I get an InvalidAccessKeyId returned from the S3 endpoint.

I have verified that the credentials included in the presigned url matches the temporary credentials returned by STSAssumeRoleCommand. The IAM role used to generate the temporary credentials from STS has full access to S3 bucket/object operations.

I am also including the X-Amz-Security-Token field with the session token returned with the temporary credentials generated when attempting to post the form data.

Is this a limitation with the JS SDK or S3 endpoints? I believe I had a similar example previously working using boto3 but have so far been unable to resolve this issue.

Any help is much appreciated!

[morgan-dgk]

Okay, solved this finally.

The order of form fields is important for presigned post requests. It appears the documentation for the SDK may be missing some mandatory fields.

I got this working for the V4 signature with the form fields ordered as below:

• key
• x-amz-credential
• x-amz-algorithm
• x-amz-date
• policy
• x-amz-security-token
• x-amz-signature
• file

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.